We still use AST nodes (ScopeNodes, particularly FunctionBodyNodes) within
the runtime, which means that these nodes must be persisted outside of the
arena, contain both parser & runtime data, etc. This is all a bit of a mess.

Implement accelerated compositing of -webkit-mask, when combined
with already-composited content.

RenderLayerBacking now creates an additional GraphicsLayer for the mask contents,
and sets this as the mask on another GraphicsLayer via the setMaskLayer() method.
GraphicsLayerCA then applies the mask using -[CALayer setMask:].

The enum values for GraphicsLayerPaintingPhase were renamed to avoid the
confusion with "mask", and a new value, GraphicsLayerPaintMask, was added which
indicates that just the mask is painting.

When painting the composited mask, we need to paint with the normal compositing
mode rather than CompositeDestinationIn, so InlineFlowBox and RenderBox now consult
layer()->hasCompositedMask() to pick the mode. If the mask is composited, they no longer
need to make transparency layers.

We no longer have to throw video rendering into software because of masks.

When a masked element has composited descendants, that element needs to
become composited so that the mask can be applied via compositing.

The foreground GraphicsLayer (used to render element foreground when the element has
negative z-order children) was misplaced when there is a clipping layer (which clips
children). The foreground layer is parented under the clipping layer so that the foreground
depth-sorts with the layer's children, so its geometry needs to be computed relative to
that clipping layer.

Also clarified some FIXME comments, and corrected a debug-only layer name.

r47313 made TreeShared types start with a ref-count of 1, but SVGElementInstance was mistakenly
not updated to have a create method that adopted the initial reference. This lead to the instances
of SVGElementInstance allocated by SVGUseElement being leaked.

EvalCodeCache::get was heap-allocating an EvalExecutable instance without adopting the initial reference.
While fixing this we noticed that EvalExecutable was a RefCounted type that was sometimes stack allocated.
To make this cleaner and to prevent clients from attempting to ref a stack-allocated instance, we move the
refcounting down to a new CacheableEvalExecutable class that derives from EvalExecutable. EvalCodeCache::get
now uses CacheableEvalExecutable::create and avoids the leak.

CFNetwork isn't present in the framework search path on Mac OS X so we can't directly include its headers.
We include CoreServices.h, the umbrella framework that contains CFNetwork, from the prefix header which
results in the CFNetwork headers being included on Mac OS X. CoreServices.h doesn't include CFNetwork.h on
Windows though so we explicitly include this header from the prefix header when on Windows.

WebCorePrefix.h:

platform/network/cf/DNSCFNet.cpp: Remove #include that is no longer needed.

WebCore: ​https://bugs.webkit.org/show_bug.cgi?id=27323
Only add Cygwin to the path when it isn't already there. This avoids
causing problems for people who purposefully have non-Cygwin versions of
executables like svn in front of the Cygwin ones in their paths.

Reviewed by Steve Falkenburg.

WebCore.vcproj/QTMovieWin.vcproj:

WebCore.vcproj/WebCoreCommon.vsprops:

WebCore.vcproj/WebCoreGenerated.vcproj:

WebKit/win: ​https://bugs.webkit.org/show_bug.cgi?id=27323
Only add Cygwin to the path when it isn't already there. This avoids
causing problems for people who purposefully have non-Cygwin versions of
executables like svn in front of the Cygwin ones in their paths.

Reviewed by Steve Falkenburg.

WebKit.vcproj/Interfaces.vcproj:

WebKit.vcproj/InterfacesGenerated.vcproj:

WebKit.vcproj/WebKit.vcproj:

WebKit.vcproj/WebKitGUID.vcproj:

WebKitTools: ​https://bugs.webkit.org/show_bug.cgi?id=27323
Only add Cygwin to the path when it isn't already there. This avoids
causing problems for people who purposefully have non-Cygwin versions of
executables like svn in front of the Cygwin ones in their paths.

Also, tightened up behavior of XMLHttpRequest with cross-origin redirects and access control. We have not implemented redirects
for access control, so we should never redirect across origins. But in two edge cases, we were:

Also, tightened up behavior of XMLHttpRequest with cross-origin redirects and access control. We have not implemented
redirects access control, so we should never redirect across origins. But in two edge cases, we were:

A particular version of the MediaWiki software detects WebKit through
user agent sniffing and imports a style sheet called KHTMLFixes.css,
which contains a single rule that was meant to work around some KHTML
bug, but currently has the sole effect of causing the float containing
the main article content to extend all the way to the left and thus push
down the left navigation pane.

css/CSSImportRule.cpp:

(WebCore::CSSImportRule::setCSSStyleSheet): If site specific hacks are
enabled, check if the imported style sheet is the MediaWiki
KHTMLFixes.css. If so, remove the offending rule.

Allow image decoders to down-sample the image directly
to scaled output buffer. This can be enabled/disabled by
macro ENABLE(IMAGE_DECODER_DOWN_SAMPLING).
Only JPEG and PNG decoders are modified to support it now.​https://bugs.webkit.org/show_bug.cgi?id=28308

Allow image decoders to down-sample the image directly
to scaled output buffer. This can be enabled/disabled by
macro ENABLE(IMAGE_DECODER_DOWN_SAMPLING).
Only JPEG and PNG decoders are modified to support it now.​https://bugs.webkit.org/show_bug.cgi?id=28308

(WebCore::AccessibilityRenderObject::accessibilityParentForImageMap):
Get at usemap attribute directly.

editing/DeleteButtonController.cpp:

(WebCore::DeleteButtonController::createDeletionUI):
Get at id attribute directly.

editing/EditorCommand.cpp:

(WebCore::executeInsertHorizontalRule): Ditto.

html/HTMLDocument.cpp:

(WebCore::HTMLDocument::dir): Get at dir attribute of body directly.
(WebCore::HTMLDocument::setDir): Ditto.

html/HTMLElement.cpp: Deleted unused functions.

html/HTMLElement.h: Ditto.

html/HTMLImageElement.cpp: Deleted unused functions.

(WebCore::HTMLImageElement::alt): Changed to return const AtomicString&.
(WebCore::HTMLImageElement::addSubresourceAttributeURLs): Changed to
get at usemap attribute directly, but added a FIXME because although
it is what the old code did, it looks to not be entirely correct.

html/HTMLImageElement.h: Deleted unused functions.

rendering/HitTestResult.cpp:

(WebCore::HitTestResult::altDisplayString): Get at alt attribute directly.

(WebCore::HTMLFrameElement::HTMLFrameElement): Initialize m_noResize.
(WebCore::HTMLFrameElement::parseMappedAttribute): Set m_noResize to true
here if noresizeAttr is changed. This code was moved here from
HTMLFrameElementBase, but I added some FIXME comments.
(WebCore::HTMLFrameElement::setNoResize): Set the attribute based on
boolean argument. Moved here from HTMLFrameElementBase.

(WebCore::HTMLViewSourceDocument::HTMLViewSourceDocument): Don't initialize
pointers any more since RefPtr starts 0 by default.
(WebCore::HTMLViewSourceDocument::createContainingTable): Use more specific
types for local variables.
(WebCore::HTMLViewSourceDocument::addSpanWithClassName): Return a PassRefPtr,
and use a RefPtr of a more specific type for a local variable.
(WebCore::HTMLViewSourceDocument::addLine): Use more specific types for local
variables, and use RefPtr as well.
(WebCore::HTMLViewSourceDocument::addLink): Return a PassRefPtr, and use a
RefPtr of a more specific type for a local variable.

around names used inside {}. Added new createWithNew property for tags
that makes the factory use a create function instead of calling new.
Renamed functions with initialize in their name to have default in their
name, since they return an array full of default values and don't themselves
initialize anything.

After selecting an option element with an 'onpick' event associated with a 'go' task,
the navigation is executed. When going back in history, the same 'onpick' event is fired
again. Fix that problem, add wml/option-element-onpick-recursion.html covering the bug.

WebView/WebTextCompletionController.mm: Added using std::max
and using std::min statements.
(-[WebTextCompletionController _placePopupWindow:]): Changed
type of maxWidth variable from float to CGFloat to prevent a
type mismatch on x86_64. Changed MAX() to max() and MIN() to
min(). Added static_cast for a constant value since CGFloat is
defined as a float on i386 and as a double on x86_64.

Change the order of freeParenthesesDisjunctionContext and
popParenthesesDisjunctionContext on all call sites as the pop
method is accessing backTrack->lastContext which is the context
that is about to be freed.

Replaced logFocusEvents() with setLogFocusEvents(), which takes a
boolean argument to turn logging of focus events on or off.
Added a function to reset the AccessibilityController to a consistent
state.

(AccessibilityController::~AccessibilityController):
Turn off focus event logging when the controller is destroyed.
(AccessibilityController::setLogFocusEvents):
If the caller passes false, unhook the focus event, and clear
m_focusEventHook.

(WebCore::Attr::Attr): Added a call to createTextChild here so callers don't
have to call it explicitly.
(WebCore::Attr::create): Added.
(WebCore::Attr::setValue): Changed to take AtomicString.
(WebCore::Attr::cloneNode): Use create.

(WebCore::Node::initialRefCount): Added. Inline helper function for
the constructor.
(WebCore::Node::isContainer): Ditto.
(WebCore::Node::isElement): Ditto.
(WebCore::Node::isText): Ditto.
(WebCore::Node::Node): Changed to take a construction type argument.
Since m_document is now a normal pointer, added a call to selfOnlyRef.
(WebCore::Node::~Node): Ditto, but selfOnlyDeref.
(WebCore::Node::setDocument): Added selfOnlyRef/Deref calls.
(WebCore::Node::appendTextContent): Use the data function instead of
calling nodeValue functions, which do the same thing in a roundabout way.

dom/Node.h: Made the constructor protected and replaced the multiple

arguments iwth a single ConstructionType argument. Sorted the public
things first.

On Windows, include windows.h, and add a member variable to hold the
handle to the event hook for focus events. Add a declaration for a
function that enables logging of focus events.

DumpRenderTree/gtk/AccessibilityControllerGtk.cpp:

(AccessibilityController::logFocusEvents):
Stubbed.

DumpRenderTree/mac/AccessibilityControllerMac.mm:

(AccessibilityController::logFocusEvents):
Stubbed.

DumpRenderTree/win/AccessibilityControllerWin.cpp:

(AccessibilityController::AccessibilityController):
(AccessibilityController::~AccessibilityController):
If we hooked the focus event, unhook it.
(logFocusEventProc):
When we receive a focus event, get the accessible object for the event,
and log its name to stdout.
(AccessibilityController::logFocusEvents):
Setup the focus event hook to listen for events in the current process.

accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::AXObjectCache):
Changed to take a pointer to its owner document. This is used by
AXObjectCache::handleFocusedUIElementChanged().
(WebCore::AXObjectCache::focusedUIElementForPage):
Code moved from AccessibilityRenderObject::focusedUIElement(). Modified
to be a static function and to take a pointer to a Page.
(WebCore::AXObjectCache::platformGenerateAXID):
Moved the code to generate the next AXID from getAXID() to here. Added
a #if to make this non-WIN only, because Windows has its own
implementation.
(WebCore::AXObjectCache::getAXID):
Ensure that we generate a positive AXID, ranging from 1 to LONG_MAX.

accessibility/AXObjectCache.h:
Add a declaration for Document and Page. Removed the declaration of
AccessibilityObject, because we include the header. Reordered the
declaration of Node alphabetically. Moved the typedef for AXID to
AccessibilityObject. Removed some trailing whitespace. Added a member
variable to hold a pointer to the owner Document.
(WebCore::AXObjectCache::AXObjectCache):
Changed to take a pointer to its owner Document.
(WebCore::AXObjectCache::focusedUIElementForPage):
Added; code moved from AccessiblityRenderObject::focusedUIElement().
Returns the focused element with respect to accessibility.
(WebCore::AXObjectCache::platformGenerateAXID):
Declare a function to generate an AXID.
(WebCore::AXObjectCache::objectFromAXID):
Return the AccessibilityObject with the given AXID.

accessibility/AccessibilityObject.h:
Moved the typedef for AXID from AXObjectCache to here. Made the m_id
member use the typedef.
(WebCore::AccessibilityObject::axObjectID):
Changed the return type to use the typedef.
(WebCore::AccessibilityObject::setAXObjectID):
Changed the argument type to use the typedef.

accessibility/AccessibilityRenderObject.cpp:
Removed some unneeded #includes.
(WebCore::AccessibilityRenderObject::focusedUIElement):
Moved the code to AXObjectCache::focusedUIElementForPage(), which we now
call.

accessibility/win/AXObjectCacheWin.cpp:
(WebCore::AXObjectCache::platformGenerateAXID):
Ensure that we generate an AXID that is in the range 1 to LONG_MAX.
(WebCore::AXObjectCache::handleFocusedUIElementChanged):
If the Document has no Page, return. If the Page has not focused
element (respecting accessibility), return. Assert that the
accessibility of the focused element is not ignored, and that the
object's AXID will be negative and fit into a LONG when negated.
Broadcast a focus event for the object.

dom/Document.cpp:
(WebCore::Document::axObjectCache):
Pass this when creating the AXObjectCache.
(WebCore::Document::setFocusedNode):
Call AXObjectCache::handleFocusedUIElementChanged() on Windows.

​https://bugs.webkit.org/show_bug.cgi?id=28324
First ever test using page cache!
The test verifies that override setting that enables page cache works correctly.
It navigates forward and then back and checks that onload is not fired again
but the timer continues firing.

The fix for bug 28295 assumed that image clients count the number of times
addClient/removeClient is called. That was true for CachedResource clients,
but not StyleGeneratedImage clients, which pass the call onto CSSImageGeneratorValue.

Fix by making CSSImageGeneratorValue count the number of times a client is
added/removed.

Remove the EvalNode and ProgramNode from use in the runtime. They still exist
after this patch, but are hidden behind EvalExecutable and FunctionExecutable,
and are also still reachable behind CodeBlock::m_ownerNode.

The next step will be to beat back FunctionBodyNode in the same fashion.
Then remove the usage via CodeBlock, then only construct these nodes only on
demand during bytecode generation.

platform/haiku/RenderThemeHaiku.cpp: Included RenderThemeHaiku.h
instead of RenderTheme.h.
(WebCore::RenderThemeHaiku::paintCheckbox): Removed the wrong 'virtual'
before the function.
(WebCore::RenderThemeHaiku::paintRadio): Removed the wrong 'virtual'
before the function.

Make the Arguments object conform to the behaviour specified in ES5.
The simple portion of this is to make Arguments use Array.prototype
as its prototype rather than Object.prototype.

The spec then requires us to set instance.constructor to the pristine
Object constructor, and instance.toString and instance.toLocaleString
to the pristine versions from Object.prototype. To do this we now
make the ObjectPrototype constructor return its toString and
toLocaleString functions (similar to the call and apply functions
from FunctionPrototype).

Oddly enough this reports itself as a slight win, but given the code
isn't hit in the tests that claim to have improved I put this down to
code motion.

No new tests added since Access Control was already well tested and this is a pure refactor.

loader/DocumentThreadableLoader.cpp: Move a lot of the access control code from XHR in, preserving its
basic strategy. Also, modify the synchronous path to not be a special case, but reuse more of the async
path.

but more importantly, made it non-virtual (it was already inline)
so it is now as fast as JSObject::inherits was.

runtime/JSObject.h: Removed inherits function since the one

in the base class is fine as-is. Also made various JSCell functions
that should not be called on JSObject uncallable by making them
both private and not implemented.
(JSC::JSCell::inherits): Updated name.
(JSC::JSValue::inherits): Ditto.

Do not unref the main webview, it's owned by its parent
container. Instead destroy the container, which should take care
of everything (not terribly important since we exit right after
that, but still).

rendering/RenderObject.cpp:
(WebCore::RenderObject::updateFillImages):
Simplify the logic to call addClient()/removeClient() for every background
image, but go through the new layers first to avoid removing all the
clients of an image.

Add a bit to TypeInfo to indicate that an object uses the standard
JSObject::markChildren method. This allows us to devirtualise marking
of most objects (though a branch is still needed). We also add a branch
to identify arrays thus devirtualising marking in that case as well.

In order to make the best use of this devirtualisation I've also reworked
the MarkStack::drain() logic to make the iteration more efficient.

Also adds checking to throw an exception if arguments of the incorrect type are
passed to Geolocation methods. Adds a layout test to test this. This test should
pass on all platforms where Geolocation is implemented.

(WebCore::Geolocation::GeoNotifier::GeoNotifier): Modified. Asserts that PositionOptions object is present.
(WebCore::Geolocation::GeoNotifier::startTimer): Modified. Only starts timer if timeout has been set.

Utilizes functions that are being called upon drag and drop actions.
Uses different GTK clipboards that hold different types
of drag data - images, HTML markup, text, URL, URL label.
Also clears each clipboard before setting new data to it.

No new tests - despite some implementations, no new functionality
is added until implementations of the GTK drag and drop protocol
in WebKit part.

(JSC::op_call_JSFunction): Call isHostFunction on the body rather
than on the JSFunction.
(JSC::vm_lazyLinkCall): Ditto.
(JSC::op_construct_JSConstruct): Ditto.

parser/Grammar.y: Changed callers to use new scanRegExp with

out arguments instead of relying on state in the Lexer. And
callers that just want to skip a regular expression to use
skipRegExp.

parser/Lexer.cpp:

(JSC::Lexer::scanRegExp): Changed to use out arguments, and to
add a prefix argument so we can add in the "=" character as needed.
Also rewrote to streamline the logic a bit inspired by suggestions
by David Levin.
(JSC::Lexer::skipRegExp): Added. Version of the function above that
does not actually put the regular expression into a string.
(JSC::Lexer::clear): Removed code to clear m_pattern and m_flags.

parser/Lexer.h: Changed scanRegExp to have out arguments. Added

skipRegExp. Eliminated pattern, flags, m_pattern, and m_flags.

parser/NodeConstructors.h:

(JSC::RegExpNode::RegExpNode): Changed to take const Identifier&.

parser/Nodes.cpp:

(JSC::RegExpNode::emitBytecode): Changed since m_pattern and
m_flags are now Identifier instead of UString.
(JSC::FunctionBodyNode::make): Moved this function here instead
of putting it in the JSFunction.h header.

parser/Nodes.h: Changed RegExpNode to use Identifier.

profiler/Profiler.cpp:

(JSC::Profiler::createCallIdentifier): Changed to use isHostFunction
on the body instead of on the JSFunction object.

runtime/FunctionPrototype.cpp:

(JSC::functionProtoFuncToString): Ditto.

runtime/JSFunction.cpp:

(JSC::JSFunction::isHostFunction): Moved here from header.
(JSC::JSFunction::isHostFunctionNonInline): Added.
(JSC::JSFunction::JSFunction): Removed unneeded initialization of
m_body to 0.
(JSC::JSFunction::setBody): Moved here from header.

runtime/JSFunction.h: Removed unneeded includes. Moved private

constructor down to the private section. Made virtual functions
private. Removed unneeded overload of setBody and moved the body
of the function into the .cpp file. Changed assertions to use
the non-inline version of isHostFunction.

runtime/PropertySlot.cpp:

(JSC::PropertySlot::functionGetter): Use asFunction instead
of doing the unchecked static_cast.

(WebCore::JavaScriptDebugServer::sourceParsed):
Change to not assert if this is called with no listeners.
I don't think this was guaranteed before, and we now use
this code path when recompiling. Slightly less efficient,
but this is a one-time cost when turning on the debugger.
(WebCore::JavaScriptDebugServer::recompileAllJSFunctions):
Change to call Debugger::recompileAllJSFunctions.

media/video-played.html seems always to time out in Windows Debug
builds. A race condition between media/video-test.js's "hang" timer and
DumpRenderTree's built-in "watchdog" timer was causing results for
media/video-played.html to be printed twice, causing all future media
tests to be compared to the previous test's results.

The fix is to make the watchdog timer got through the same code path
as calling notifyDone manually, so that the results will only get
printed once. A subsequent patch will remove video-test.js's hang
timer entirely, since it is redundant.

(LayoutTestController::waitToDumpWatchdogTimerFired): Added. Code came
from Gtk/Mac/Win's watchdog timer handlers, but we now call
notifyDone() instead of dump() so that a subsequent call to
notifyDone() won't print the results out again.

The destination image and the source image was mixed up on creating the
imageData.

This is just a clean up and doesn't affect the current behavior. It's not
possible to test this failure in a LayoutTest. Only canvas uses getImageData
at the moment and returns before calling getImageData, if the image rect does
not contain the requested rect.

RenderFlexibleBox and RenderTable were using the width of overflow
to update height of overflow, so height became wrong value and
width was not updated. As the corresponding code of RenderBlock
was sane, I factored it out and used from RenderFlexibleBox and
RenderTable.

RenderFlexibleBox and RenderTable were using the width of overflow
to update height of overflow, so height became wrong value and
width was not updated. As the corresponding code of RenderBlock
was sane, I factored it out and used from RenderFlexibleBox and
RenderTable.

rendering/RenderBlock.cpp:
(WebCore::RenderBlock::updateOverflowWithShadowAndReflection): created from code of layoutBlock
(WebCore::RenderBlock::layoutBlock):